Erich Blume
0108b68769
## Summary Adds the first cut of a local nix build for `docker.io/tailscale/tailscale` and rewires only the ringtail tailscale-operator overlay to use it. Indri's overlay continues pulling upstream — minikube on indri is being decommissioned in favor of ringtail's k3s, so investing in dual-cluster routing here would be wasted churn. ## Changes - `containers/tailscale/default.nix` — `buildGoModule` over `cmd/tailscale`, `cmd/tailscaled`, `cmd/containerboot`; packaged via `dockerTools.buildLayeredImage` with `cacert`, `iptables` (legacy symlink to match upstream Synology compat), `iproute2`, `tzdata`, `busybox`. - `argocd/manifests/tailscale-operator-ringtail/kustomization.yaml` — kustomize `images:` rewrite swapping `docker.io/tailscale/tailscale` → `registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix`. - `docs/changelog.d/mirror-tailscale-container.infra.md` — fragment. ## Pin rationale v1.94.2 matches `service-versions.yaml:96` and the current ProxyClass exactly — this PR is "make it local," not "upgrade tailscale." Version bumps come as follow-up C0/C1 changes once we decide to test newer (v1.96.x had a Fly-side MagicDNS regression; v1.98.0 is current upstream stable). ## Test plan - [x] Image built successfully on ringtail nix-container-builder (run #528). - [x] Image visible in registry: `registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix`. - [ ] Deploy from branch: `argocd app set tailscale-operator-ringtail --revision mirror-tailscale-container && argocd app sync tailscale-operator-ringtail`. - [ ] Verify proxy pods restart with new image and existing tailnet ingresses (e.g., authentik, immich, tempo) keep resolving. - [ ] After merge: rebuild on main SHA, update kustomization, run `services-check`. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #347
24 lines
757 B
YAML
24 lines
757 B
YAML
---
|
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
kind: Kustomization
|
|
|
|
namespace: tailscale
|
|
|
|
resources:
|
|
- ../tailscale-operator-base
|
|
- proxygroup-ingress.yaml
|
|
- external-secret.yaml
|
|
|
|
# Rewrite the proxyclass image to our local nix-built mirror.
|
|
# Scoped to ringtail only; indri's tailscale-operator/kustomization.yaml still
|
|
# pulls from upstream docker.io. A strategic merge patch is used instead of
|
|
# kustomize's `images:` directive because that directive only rewrites images
|
|
# in standard k8s container fields, not custom-resource fields like
|
|
# ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
|
|
patches:
|
|
- path: proxyclass-image.yaml
|
|
target:
|
|
group: tailscale.com
|
|
version: v1alpha1
|
|
kind: ProxyClass
|
|
name: default
|